Conditions | 75 |
Paths | > 20000 |
Total Lines | 211 |
Code Lines | 117 |
Lines | 0 |
Ratio | 0 % |
Changes | 1 | ||
Bugs | 1 | Features | 0 |
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
1 | <?php |
||
8 | function protector_postcommon() |
||
9 | { |
||
10 | global $xoopsUser, $xoopsModule; |
||
11 | |||
12 | $uname = Request::getString('uname', '', 'POST'); |
||
13 | $pass = Request::getString('pass', '', 'POST'); |
||
14 | $autologin_uname = Request::getString('autologin_uname', '', 'COOKIE'); |
||
15 | $autologin_pass = Request::getString('autologin_pass', '', 'COOKIE'); |
||
16 | |||
17 | // patch for 2.2.x from xoops.org (I know this is not so beautiful...) |
||
18 | if (defined('XOOPS_VERSION') && substr(XOOPS_VERSION, 6, 3) > 2.0) { |
||
19 | $requestUri = Request::getString('REQUEST_URI', '', 'SERVER'); // Fetch the REQUEST_URI from the server superglobal |
||
20 | if (false !== stripos($requestUri, 'modules/system/admin.php?fct=preferences')) { |
||
21 | /** @var XoopsModuleHandler $module_handler */ |
||
22 | $module_handler = xoops_getHandler('module'); |
||
23 | |||
24 | // Fetch the 'mod' parameter from the GET request and cast it to an integer |
||
25 | $mod = Request::getInt('mod', 0, 'GET'); |
||
26 | |||
27 | /** @var XoopsModule $module */ |
||
28 | $module = 0 !== $mod ? $module_handler->get($mod) : null; |
||
29 | |||
30 | if (is_object($module)) { |
||
31 | $module->getInfo(); |
||
32 | } |
||
33 | } |
||
34 | } |
||
35 | |||
36 | // configs writable check |
||
37 | $requestUriForWritableCheck = Request::getString('REQUEST_URI', '', 'SERVER'); |
||
38 | if ($requestUriForWritableCheck === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) { |
||
39 | trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING); |
||
40 | } |
||
41 | |||
42 | // Protector object |
||
43 | require_once dirname(__DIR__) . '/class/protector.php'; |
||
44 | $db = XoopsDatabaseFactory::getDatabaseConnection(); |
||
45 | $protector = Protector::getInstance(); |
||
46 | $protector->setConn($db->conn); |
||
47 | $protector->updateConfFromDb(); |
||
48 | $conf = $protector->getConf(); |
||
49 | if (empty($conf)) { |
||
50 | return true; |
||
51 | } // not installed yet |
||
52 | |||
53 | // phpmailer vulnerability |
||
54 | // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ |
||
55 | if (in_array(substr(XOOPS_VERSION, 0, 12), ['XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'])) { |
||
56 | /** @var XoopsConfigHandler $config_handler */ |
||
57 | $config_handler = xoops_getHandler('config'); |
||
58 | $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER); |
||
59 | if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') { |
||
60 | echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>'; |
||
61 | } |
||
62 | } |
||
63 | |||
64 | // global enabled or disabled |
||
65 | if (!empty($conf['global_disabled'])) { |
||
66 | return true; |
||
67 | } |
||
68 | |||
69 | // group1_ips (groupid=1) |
||
70 | if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) { |
||
71 | $group1_ips = $protector->get_group1_ips(true); |
||
72 | if (implode('', array_keys($group1_ips))) { |
||
73 | $group1_allow = $protector->ip_match($group1_ips); |
||
74 | if (empty($group1_allow)) { |
||
75 | die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.'); |
||
76 | } |
||
77 | } |
||
78 | } |
||
79 | |||
80 | // reliable ips |
||
81 | $remoteAddr = Request::getString('REMOTE_ADDR', '', 'SERVER'); |
||
82 | $reliable_ips = isset($conf['reliable_ips']) ? unserialize($conf['reliable_ips'], ['allowed_classes' => false]) : null; |
||
83 | |||
84 | if (is_array($reliable_ips)) { |
||
85 | foreach ($reliable_ips as $reliable_ip) { |
||
86 | if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $remoteAddr)) { |
||
87 | return true; |
||
88 | } |
||
89 | } |
||
90 | } |
||
91 | |||
92 | // user information (uid and can be banned) |
||
93 | $can_ban = true; |
||
94 | $uid = 0; |
||
95 | |||
96 | if (isset($xoopsUser) && is_object($xoopsUser)) { |
||
97 | $uid = $xoopsUser->getVar('uid'); |
||
98 | $userGroups = $xoopsUser->getGroups(); |
||
99 | $bip_except = isset($conf['bip_except']) ? unserialize($conf['bip_except'], ['allowed_classes' => false]) : []; |
||
100 | |||
101 | $can_ban = (!empty($userGroups) && !empty($bip_except)) ? (count(array_intersect($userGroups, $bip_except)) ? false : true) : true; |
||
102 | } else { |
||
103 | // login failed check |
||
104 | if ((!empty($uname) && !empty($pass)) || (!empty($autologin_uname) && !empty($autologin_pass))) { |
||
105 | $protector->check_brute_force(); |
||
106 | } |
||
107 | } |
||
108 | |||
109 | // CHECK for spammers IPS/EMAILS during POST Actions |
||
110 | if (isset($conf['stopforumspam_action']) && $conf['stopforumspam_action'] !== 'none') { |
||
111 | $protector->stopforumspam($uid); |
||
112 | } |
||
113 | |||
114 | // If precheck has already judged that they should be banned |
||
115 | if ($can_ban && $protector->_should_be_banned) { |
||
116 | $protector->register_bad_ips(); |
||
117 | } elseif ($can_ban && $protector->_should_be_banned_time0) { |
||
118 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
119 | } |
||
120 | |||
121 | // DOS/CRAWLER skipping based on 'dirname' or getcwd() |
||
122 | $dos_skipping = false; |
||
123 | $skip_dirnames = isset($conf['dos_skipmodules']) ? explode('|', $conf['dos_skipmodules']) : []; |
||
124 | if (!is_array($skip_dirnames)) { |
||
125 | $skip_dirnames = []; |
||
126 | } |
||
127 | if (isset($xoopsModule) && is_object($xoopsModule)) { |
||
128 | if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) { |
||
129 | $dos_skipping = true; |
||
130 | } |
||
131 | } else { |
||
132 | foreach ($skip_dirnames as $skip_dirname) { |
||
133 | if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) { |
||
134 | $dos_skipping = true; |
||
135 | break; |
||
136 | } |
||
137 | } |
||
138 | } |
||
139 | |||
140 | // module can control DoS skipping |
||
141 | if (defined('PROTECTOR_SKIP_DOS_CHECK')) { |
||
142 | $dos_skipping = true; |
||
143 | } |
||
144 | |||
145 | // DoS Attack |
||
146 | if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) { |
||
147 | $protector->output_log($protector->last_error_type, $uid, true, 16); |
||
148 | } |
||
149 | |||
150 | // check session hi-jacking |
||
151 | $masks = $conf['session_fixed_topbit'] ?? null; |
||
152 | if (is_string($masks)) { |
||
153 | $maskArray = explode('/', $masks); |
||
154 | } else { |
||
155 | $maskArray = []; // Or some default value that makes sense for your application |
||
156 | } |
||
157 | $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0]; |
||
158 | $ipv6Mask = $maskArray[1] ?? 56; |
||
159 | $ip = \Xmf\IPAddress::fromRequest(); |
||
160 | $maskCheck = true; |
||
161 | if (isset($_SESSION['protector_last_ip'])) { |
||
162 | $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask); |
||
163 | } |
||
164 | if (!$maskCheck) { |
||
165 | if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'], ['allowed_classes' => false])))) { |
||
166 | $protector->purge(true); |
||
167 | } |
||
168 | } |
||
169 | $_SESSION['protector_last_ip'] = $ip->asReadable(); |
||
170 | |||
171 | // SQL Injection "Isolated /*" |
||
172 | if (!$protector->check_sql_isolatedcommentin((bool)(isset($conf['isocom_action']) ? $conf['isocom_action'] & 1 : 0))) { |
||
173 | if (($conf['isocom_action'] & 8) && $can_ban) { |
||
174 | $protector->register_bad_ips(); |
||
175 | } elseif (($conf['isocom_action'] & 4) && $can_ban) { |
||
176 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
177 | } |
||
178 | $protector->output_log('ISOCOM', $uid, true, 32); |
||
179 | if ($conf['isocom_action'] & 2) { |
||
180 | $protector->purge(); |
||
181 | } |
||
182 | } |
||
183 | |||
184 | // SQL Injection "UNION" |
||
185 | if (!$protector->check_sql_union((bool)(isset($conf['union_action']) ? $conf['union_action'] & 1 : 0))) { |
||
186 | if (($conf['union_action'] & 8) && $can_ban) { |
||
187 | $protector->register_bad_ips(); |
||
188 | } elseif (($conf['union_action'] & 4) && $can_ban) { |
||
189 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
190 | } |
||
191 | $protector->output_log('UNION', $uid, true, 32); |
||
192 | if ($conf['union_action'] & 2) { |
||
193 | $protector->purge(); |
||
194 | } |
||
195 | } |
||
196 | |||
197 | if (!empty($_POST)) { |
||
198 | // SPAM Check |
||
199 | if (is_object($xoopsUser)) { |
||
200 | if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) { |
||
201 | $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid')); |
||
202 | } |
||
203 | } elseif ($conf['spamcount_uri4guest']) { |
||
204 | $protector->spam_check((int)$conf['spamcount_uri4guest'], 0); |
||
205 | } |
||
206 | |||
207 | // filter plugins for POST on postcommon stage |
||
208 | $protector->call_filter('postcommon_post'); |
||
209 | } |
||
210 | |||
211 | // register.php Protection - both core and profile module have a register.php |
||
212 | // There should be an event to trigger this check instead of filename sniffing. |
||
213 | $scriptFilename = Request::getString('SCRIPT_FILENAME', '', 'SERVER'); |
||
214 | if (basename($scriptFilename) == 'register.php') { |
||
215 | $protector->call_filter('postcommon_register'); |
||
216 | } |
||
217 | |||
218 | return null; |
||
219 | } |
||
220 |
Let?s assume that you have a directory layout like this:
and let?s assume the following content of
Bar.php
:If both files
OtherDir/Foo.php
andSomeDir/Foo.php
are loaded in the same runtime, you will see a PHP error such as the following:PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php
However, as
OtherDir/Foo.php
does not necessarily have to be loaded and the error is only triggered if it is loaded beforeOtherDir/Bar.php
, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: